SSTP VPN server 2012 third party certificate and root certificate

Hey.  I got this server 2012 with SSTP VPN configured and running.

The setup I used is the standard SSTP setup like these links (a root certificate CA and a self-signed one for external).

http://www.windows-server-2012-r2.com/vpn-with-nps.html
https://www.youtube.com/watch?v=aKV--c0zmJc

I like the security in this setup, but is it possible to put in a third-party certificate (instead of the self-signed) and still have/use the root certificate for security/validation? I cannot find out how to combine the third-party certificate with the Root CA.

Is it possible?
conceptdata asked:

footech commented:
Just an FYI - It's incorrect to refer to a certificate issued by a certificate authority as "self-signed", even if the CA is a private one (i.e. an internal PKI).

I'm not sure what you're hoping to gain. When you set Routing and Remote Access to use a certificate as shown in the screenshot (taken from your first link)
[RRAS screenshot]
you're telling it what certificate to use to secure the connection (and at the same time validating which server you're connecting to). You can use a private cert or a third-party one here - it doesn't matter - the name just has to be the FQDN that you're connecting to.

I think you have a misconception that having a root certificate from your own CA somehow increases security.  When you get down to it, the only difference between a root certificate from a public CA and your own CA, is that the public ones are likely to already be installed in your Trusted Root Certification Authorities store (or other store depending on application and/or OS), so in effect your client machine comes pre-configured to trust other certificates issued by those CAs.
conceptdata (author) commented:
Thanks for your reply. It seems that you are an expert on this subject :-)

Well, I would like to explain my goal with this.

As standard, the SSTP VPN can be created from any client, also client PCs outside the domain, with the standard NPS policy setup on the RRAS.
You just have to create a new VPN connection and then connect with domain credentials and you are through.

Besides the SSL security, the only validation here is the username and password.

With a local root certificate required on the client, to validate together with a public CA and username and password validation, it would be more secure I think.

I tried to play around with the NPS settings, but as far as I can see the security features are mostly encryption settings.

So is there a way around this without using RADIUS?
footech commented:
The only security/restriction you gain would come from needing to have the root certificate from your private/internal CA installed on the client machines.  So, that restriction is in place when you use a certificate from your internal PKI on the RRAS server.  Trying to also use a third-party (public) certificate doesn't add anything in this scenario.

So if you only want domain machines to be able to connect, just use a cert issued by your own PKI.  Domain machines will get the root certificate from an enterprise CA automatically.  Machines not joined to the domain could also connect if you manually deploy the root cert to them.
conceptdata (author) commented:
OK, thanks.

With a client PC outside the domain I am still able to connect to the SSTP VPN with only username and password. It doesn't fail on the "required" enterprise root CA. It goes straight through.
And if I look in the Certificates MMC, it hasn't pushed the enterprise root CA to the client.
???
footech commented:
Hmm, it should definitely fail if the root certificate isn't in Trusted Root Certification Authorities.  You might want to check both your user store and computer store (what you select when you add the Certificates snap-in to the MMC).

See the following link, scenario 5.
https://support.microsoft.com/en-us/kb/947031

To further strengthen things, you could use EAP-TLS as the authentication mechanism (inside SSTP).  In this case, each client would have to have a certificate issued from your CA to prove their identity instead of using a username and password.  I don't have any guides handy for how to set this up though.
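To see on a given client why the RRAS certificate is or is not trusted (the computer-store versus user-store question raised above), here is an added PowerShell diagnostic that is not from the thread or from Microsoft; it assumes the placeholder FQDN vpn.example.com for the RRAS server, SSTP listening on TCP 443, and that it is run on the client PC being tested.

```powershell
# Added diagnostic, not part of the thread. Run on the SSTP client.
# vpn.example.com is a placeholder: replace with the FQDN the VPN connection uses.
param(
    [string]$ServerFqdn = 'vpn.example.com',
    [int]$Port = 443
)

# 1. Perform the TLS handshake and capture the policy errors Windows reports,
#    accepting the certificate only so the script can inspect it afterwards.
$script:policyErrors = $null
$callback = { param($sender, $cert, $chainArg, $errors) $script:policyErrors = $errors; $true }
$tcp = New-Object System.Net.Sockets.TcpClient($ServerFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($ServerFqdn)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

Write-Host "Server cert subject : $($serverCert.Subject)"
Write-Host "Issuer              : $($serverCert.Issuer)"
Write-Host "TLS policy errors   : $script:policyErrors"   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors

# 2. Build the chain the way the client would and find the root it ends in.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($serverCert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$status = if ($chain.ChainStatus) { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' } else { 'OK' }
Write-Host "Chain ends at       : $($root.Subject)"
Write-Host "Chain status        : $status"             # UntrustedRoot or PartialChain means the root was not deployed

# 3. Report whether that root sits in the computer store, the user store, both, or neither.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $present = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    Write-Host ("{0,-26}: {1}" -f $store, $(if ($present) { 'present (trusted)' } else { 'NOT present' }))
}
```

If the chain status is OK and the root shows as present in the computer store on a non-domain PC, the root was deployed to it by some other route (manual import, a public CA already in Windows, or a third-party certificate on RRAS), which explains why the connection succeeds with username and password alone.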